OpenBao provisioning script (recurrence fix) #76

Merged
michal merged 1 commit from feat/openbao-provisioning into main 2026-06-16 22:31:54 +00:00

1 Commit

Author SHA1 Message Date
Michal
7e8568777e feat(ops): idempotent OpenBao provisioning script
Some checks failed
CI/CD / typecheck (pull_request) Successful in 1m4s
CI/CD / lint (pull_request) Successful in 2m30s
CI/CD / test (pull_request) Successful in 1m18s
CI/CD / smoke (pull_request) Failing after 1m49s
CI/CD / build (pull_request) Successful in 4m46s
CI/CD / publish (pull_request) Has been skipped
scripts/provision-openbao.sh recreates the KV mount + app-mcpd ACL policy +
periodic app-mcpd-role that mcpd's secret backend needs. These were hand-made
and uncaptured, so an OpenBao re-init silently dropped the policy (root cause
of the recurring BACKEND_TOKEN_DEAD / 403-on-secret-write). Now reproducible:
run after any OpenBao (re)init; --seed also mints a token, writes bao-creds,
and restarts mcpd. Mirrors src/shared/src/vault/policy.ts. Idempotent + --dry-run.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 23:21:08 +01:00
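
The commit message above describes an idempotent, dry-run-capable provisioning pass over a KV mount, an ACL policy, and a periodic token role. The sketch below is an added example of that pattern and is not the repository's `scripts/provision-openbao.sh`; the mount path, secret prefix, policy rules, and token period are assumptions, since the page does not show them.

```shell
#!/bin/sh
# Added illustration; NOT the repository's scripts/provision-openbao.sh.
# app-mcpd / app-mcpd-role come from the page; mount, prefix, rules, period are assumed.
set -eu
BAO="${BAO:-bao}"                # OpenBao CLI; expects BAO_ADDR and a privileged token
KV_MOUNT="${KV_MOUNT:-secret}"   # assumed mount path
KV_PREFIX="${KV_PREFIX:-mcpd}"   # assumed prefix for the app's secrets
PERIOD="${PERIOD:-24h}"          # assumed renewal period for the periodic role
DRY_RUN="${DRY_RUN:-0}"

# Execute a state-changing command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "DRY-RUN: $*"; else "$@"; fi
}

# Read-only probe (also used in dry-run): is something mounted at $KV_MOUNT/ ?
mount_exists() {
  "$BAO" secrets list -format=json | grep -q "\"$KV_MOUNT/\""
}

# Least-privilege rules for a KV v2 mount (data/ and metadata/ subpaths).
policy_hcl() {
  cat <<EOF
path "$KV_MOUNT/data/$KV_PREFIX/*" {
  capabilities = ["create", "read", "update", "delete"]
}
path "$KV_MOUNT/metadata/$KV_PREFIX/*" {
  capabilities = ["list", "read", "delete"]
}
EOF
}

provision() {
  # "secrets enable" errors on an existing mount, so it is the one step to guard.
  if mount_exists; then
    echo "mount $KV_MOUNT/ already present, skipping"
  else
    run "$BAO" secrets enable -path="$KV_MOUNT" -version=2 kv
  fi
  # Policy and role writes are upserts: re-running converges on the same state.
  policy_hcl | run "$BAO" policy write app-mcpd -
  run "$BAO" write auth/token/roles/app-mcpd-role \
    allowed_policies=app-mcpd token_period="$PERIOD" renewable=true
}

case "${1:-}" in
  --apply)   provision ;;
  --dry-run) DRY_RUN=1; provision ;;
esac
```

Running it with `--dry-run` still queries the mount list but prints every write instead of executing it, so it can be used after a re-init to see which objects are missing before applying.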